components/server/mail: init

TODO.md

 TODO list sorted by priority:
   * workflow: set up patchouli to have regular and automated backups
+  * updates: make autoUpgrade pull the git repo and verify navi's sig
   * security: security hardening through sandboxing
   * security: tor profiles and fix iana

components/server/default.nix

@@ -4,5 +4,6 @@
     ./monitor.nix
     ./chat.nix
     ./projects.nix
+    ./mail.nix
   ];
 }

components/server/mail.nix

+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.navi.components.mail-server;
+  cert = config.security.acme.certs."${cfg.root_domain}".directory;
+in
+{
+  imports = [
+    <nixos-mailserver>
+  ];
+
+  options.navi.components.mail-server = {
+    enable = mkEnableOption "Enable navi's mail server";
+    accounts = mkOption {
+      type = mailserver.loginAccounts.type;
+      description = ''
+        List of accounts and per-accounts rules for the mail server.
+      '';
+    };
+    domains = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        The domains this mailserver should serve.
+      '';
+    };
+    root_domain = mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        The root domain this server will identify itself as when
+        sending and receiving mails.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = cfg.root_domain;
+      domains = cfg.domains;
+      certificateScheme = 1;
+      certificateFile = "${cert}/fullchain.pem";
+      keyFile = "${cert}/key.pem";
+      dkimSelector = config.navi.device;
+      dkimKeyBits = 2048;
+      loginAccounts = cfg.accounts;
+    };
+    navi.components.web-server = {
+      enable = true;
+      # this server is a stub that we still need to setup for acme, so we just
+      # make it stay up whenever and return a nice error code :)
+      domains."${cfg.root_domain}".return = "418";
+    };
+  };
+}